Create a specific repo for sssd role.
eccbc254fe
@ -0,0 +1,75 @@
|
||||||
|
# SSSD
|
||||||
|
|
||||||
|
1. [Overview](#overview)
|
||||||
|
2. [Role Variables](#role-variables)
|
||||||
|
* [OS Specific Variables](#os-specific-variables)
|
||||||
|
3. [Example Playbook](#example-playbook)
|
||||||
|
4. [Configuration](#configuration)
|
||||||
|
5. [License](#license)
|
||||||
|
6. [Author Information](#author-information)
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
|
||||||
|
Manage LDAP authentication with **SSSD** (System Security Services Daemon).
|
||||||
|
|
||||||
|
Highly inspired by [Lae's system_ldap role][lae sssd galaxy] with minors updates (test only on Debian 9 and maybe on OpenSuse).
|
||||||
|
|
||||||
|
## Role Variables
|
||||||
|
|
||||||
|
* **sssd_pkg_state** : State of new sssd packages [default : `latest`].
|
||||||
|
* **sssd_conf_manage** : If SSSD configuration should be managed with this role [default : `true`].
|
||||||
|
* **sssd_main_conf_path** : Path to set main SSSD's configuration [default : `/etc/sssd/sssd.conf`].
|
||||||
|
* **sssd_main_conf_tpl** : Template used to generate the previous config file [default : `etc/sssd/sssd.conf.j2`].
|
||||||
|
* **sssd_mkhomedir** : If home directories should be created at login [default : `true`].
|
||||||
|
* **sssd_home_path** : Path where home directories are stored [default : `/home`].
|
||||||
|
* **sssd_service_name** : SSSD's service name [default : `sssd`].
|
||||||
|
|
||||||
|
### OS Specific Variables
|
||||||
|
|
||||||
|
Please see default value by Operating System file in `vars/` directory.
|
||||||
|
|
||||||
|
* **sssd_pkg_list** : The list of packages to install to provide `sssd`.
|
||||||
|
|
||||||
|
## Example Playbook
|
||||||
|
|
||||||
|
* Use defaults vars :
|
||||||
|
|
||||||
|
``` yml
|
||||||
|
- hosts: serverXYZ
|
||||||
|
roles:
|
||||||
|
- role: ipr.sssd
|
||||||
|
```
|
||||||
|
|
||||||
|
* With a `group_vars/serverxyz.yml` file :
|
||||||
|
|
||||||
|
``` yml
|
||||||
|
sssd_domain: 'dotld'
|
||||||
|
sssd_uris:
|
||||||
|
- ldap://ldap.domain.tld
|
||||||
|
sssd_search_base: 'ou=People,dc=domain,dc=tld
|
||||||
|
sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld'
|
||||||
|
```
|
||||||
|
|
||||||
|
* Then you also need to enter the `bind_dn_password` on the remote host (`/etc/sssd/conf.d/sssd_domain.conf`|`/etc/sssd/conf.d/dotld.conf`).
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
This role will :
|
||||||
|
* Install needed packages to provide `sssd`.
|
||||||
|
* Manage the default `sssd` configuration file (`/etc/sssd/sssd.conf`).
|
||||||
|
* Create an additionnal configuration file to only store the bind_password (`/etc/sssd/conf.d/domain.bind.conf`).
|
||||||
|
* Manage `sssd` service.
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
[WTFPL][wtfpl website]
|
||||||
|
|
||||||
|
## Author Information
|
||||||
|
|
||||||
|
Jérémy Gardais
|
||||||
|
* Source : …
|
||||||
|
* [IPR][ipr website] (Institut de Physique de Rennes)
|
||||||
|
|
||||||
|
[wtfpl website]: http://www.wtfpl.net/about/
|
||||||
|
[ipr website]: https://ipr.univ-rennes1.fr/
|
||||||
|
[lae sssd galaxy]: https://galaxy.ansible.com/lae/system_ldap/
|
|
@ -0,0 +1,22 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
# Package
|
||||||
|
sssd_pkg_state: 'latest'
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
sssd_conf_manage: true
|
||||||
|
sssd_main_conf_path: '/etc/sssd/sssd.conf'
|
||||||
|
sssd_main_conf_tpl: 'etc/sssd/sssd.conf.j2'
|
||||||
|
sssd_mkhomedir: true
|
||||||
|
sssd_home_path: '/home/'
|
||||||
|
|
||||||
|
# LDAP info
|
||||||
|
sssd_domain: ''
|
||||||
|
sssd_schema: 'rfc2307bis'
|
||||||
|
sssd_uris: []
|
||||||
|
sssd_search_base: ''
|
||||||
|
sssd_bind_dn: ''
|
||||||
|
sssd_bind_password: ''
|
||||||
|
|
||||||
|
# Service
|
||||||
|
sssd_service_name: 'sssd'
|
|
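Review bot: `sssd_home_path: '/home/'` carries a trailing slash, which disagrees with the README's documented default (`/home`) and, since the template renders `override_homedir = {{ sssd_home_path }}/%u`, produces `/home//%u`; `sssd_home_path: '/home'` keeps both consistent. Separately, `sssd_bind_password: ''` is declared here but nothing in this commit's tasks or template reads it — the bind password is left for manual entry in the conf.d file — so either drop the variable or comment it as unused, otherwise a user will reasonably set it in group_vars (where it would be committed) and expect the role to place it.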
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
# Handlers file for ipr.sssd
|
||||||
|
- name: restart sssd
|
||||||
|
service:
|
||||||
|
name: '{{ sssd_service_name }}'
|
||||||
|
state: restarted
|
|
@ -0,0 +1,53 @@
|
||||||
|
---
|
||||||
|
# tasks file for ansible-role-sssd
|
||||||
|
|
||||||
|
- name: Load specific OS vars
|
||||||
|
include_vars: "{{ item }}"
|
||||||
|
with_first_found:
|
||||||
|
- "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
|
||||||
|
- "{{ ansible_distribution|lower }}.yml"
|
||||||
|
- "{{ ansible_os_family|lower }}.yml"
|
||||||
|
|
||||||
|
# Packages
|
||||||
|
- name: Install sssd
|
||||||
|
package:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: "{{ sssd_pkg_state }}"
|
||||||
|
with_items: "{{ sssd_pkg_list }}"
|
||||||
|
|
||||||
|
# Configuration file
|
||||||
|
- name: CONFIG sssd.conf
|
||||||
|
template:
|
||||||
|
src: "{{ sssd_main_conf_tpl }}"
|
||||||
|
dest: "{{ sssd_main_conf_path }}"
|
||||||
|
mode: 0600
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
backup: true
|
||||||
|
when: sssd_conf_manage
|
||||||
|
notify:
|
||||||
|
- restart sssd
|
||||||
|
|
||||||
|
- name: "CONFIG conf.d/{{ sssd_domain }}.conf"
|
||||||
|
blockinfile:
|
||||||
|
state: present
|
||||||
|
create: yes
|
||||||
|
mode: 0600
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
insertbefore: BOF
|
||||||
|
dest: "/etc/sssd/conf.d/{{ sssd_domain }}.conf"
|
||||||
|
content: |
|
||||||
|
[domain/{{ sssd_domain }}]
|
||||||
|
#ldap_default_authtok = password for {{ sssd_bind_dn }} after END BLOCK
|
||||||
|
when: sssd_conf_manage
|
||||||
|
notify:
|
||||||
|
- restart sssd
|
||||||
|
|
||||||
|
- name: Ensure home directories are created upon login with pam
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/pam.d/common-account
|
||||||
|
regexp: 'pam_mkhomedir\.so'
|
||||||
|
line: "session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent"
|
||||||
|
state: present
|
||||||
|
when: sssd_mkhomedir
|
|
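Review bot: The `pam_mkhomedir.so` entry in the last task is a `session` line, yet it is written to `/etc/pam.d/common-account`; on Debian, session modules conventionally live in `/etc/pam.d/common-session`, and the `common-*` files are generated by `pam-auth-update`, which may drop a hand-inserted line on the next profile update — worth confirming the target file and stating that limitation in a comment above the task. The task is also one-way: `state: present` adds the line while `sssd_mkhomedir` is true, but nothing removes it once the variable is set to false. As a point of style, `mode: 0600` (in both the template and blockinfile tasks) and `create: yes` are better written `mode: '0600'` and `create: true`, which is what ansible-lint's risky-octal and yamllint's truthy checks expect.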
@ -0,0 +1,56 @@
|
||||||
|
# {{ ansible_managed }} }
|
||||||
|
[sssd]
|
||||||
|
config_file_version = 2
|
||||||
|
services = nss, pam, autofs
|
||||||
|
domains = {{ sssd_domain }}
|
||||||
|
|
||||||
|
[domain/{{ sssd_domain }}]
|
||||||
|
id_provider = ldap
|
||||||
|
auth_provider = ldap
|
||||||
|
chpass_provider = ldap
|
||||||
|
#access_provider = ldap
|
||||||
|
autofs_provider = ldap
|
||||||
|
|
||||||
|
{# connection configuration #}
|
||||||
|
ldap_schema = {{ sssd_schema }}
|
||||||
|
ldap_uri = {{ sssd_uris | join(',') }}
|
||||||
|
ldap_tls_cacertdir = /etc/ssl/certs
|
||||||
|
ldap_id_use_start_tls = True
|
||||||
|
ldap_tls_reqcert = never
|
||||||
|
|
||||||
|
{# search configuration #}
|
||||||
|
ldap_search_base = {{ sssd_search_base }}
|
||||||
|
ldap_default_bind_dn = {{ sssd_bind_dn }}
|
||||||
|
ldap_default_authtok_type = password
|
||||||
|
#ldap_default_authtok = ... # See conf.d/default.bind.conf
|
||||||
|
cache_credentials = True
|
||||||
|
entry_cache_timeout = 5400
|
||||||
|
|
||||||
|
## Filter
|
||||||
|
# LDAP
|
||||||
|
#access_provider = ldap
|
||||||
|
#ldap_access_order = filter
|
||||||
|
#ldap_access_filter = (memberof=cn=groupeA,ou=Groupes,dc=domain,dc=tld)
|
||||||
|
|
||||||
|
{# mapping/attribute configuration #}
|
||||||
|
override_homedir = {{ sssd_home_path }}/%u
|
||||||
|
|
||||||
|
krb5_realm = #
|
||||||
|
|
||||||
|
# Simple
|
||||||
|
#access_provider = simple
|
||||||
|
#simple_allow_groups = groupeA,ou=Groupes,dc=domain,dc=tld
|
||||||
|
|
||||||
|
ldap_user_uuid = entryuuid
|
||||||
|
ldap_group_uuid = entryuuid
|
||||||
|
enumerate = False
|
||||||
|
|
||||||
|
|
||||||
|
[nss]
|
||||||
|
|
||||||
|
filter_groups = root
|
||||||
|
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
|
||||||
|
homedir_substring = /home
|
||||||
|
|
||||||
|
[pam]
|
||||||
|
reconnection_retries = 3
|
|
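Review bot: `ldap_tls_reqcert = never` disables server certificate validation, so the StartTLS enabled two lines above (`ldap_id_use_start_tls = True`) no longer protects the bind DN credential or the user passwords that `auth_provider = ldap` sends to whichever server answers; `ldap_tls_reqcert = demand` is the safer setting here, and `ldap_tls_cacertdir = /etc/ssl/certs` is already in place for it to work. Two smaller issues in the same template: the first line `# {{ ansible_managed }} }` has a stray closing brace that is rendered into the file, and the comment `# See conf.d/default.bind.conf` names a file that neither the tasks (`conf.d/{{ sssd_domain }}.conf`) nor the README (`domain.bind.conf`) create. `krb5_realm = #` also looks like a leftover — it is unused with the ldap providers configured here and should probably be removed.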
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
# vars file for Debian-based distros
|
||||||
|
sssd_pkg_list:
|
||||||
|
- sssd
|